A Shaky Start
This year started out a bit rough on the cyber security insurance side.
Zurich American Insurance Company decided to invoke the war exclusion in its security policy for a claim filed by consumer packaged goods company Mondelez, which was one of the biggest victims of the infamous NotPetya ransomware attack in June 2017. Zurich American Insurance Company is now refusing to pay out the $100 million claim.
Originally, Zurich indicated that it might pay $10 million, or about 10 percent of the overall claim. But later it stated that it won’t pay any of the claim by invoking a special “cyber war” clause.
Zurich argues that this clause excludes payment because, in its view, NotPetya was actually “a hostile or warlike action in time of peace or war.”
According to Zurich, the NotPetya cyber attack originated with Russian hackers working directly with the Russian government to destabilize Ukraine. This is what Zurich has in mind when it uses the “cyber war” excuse to get out of paying the claim.
Mondelez, a snack food and beverage maker, is in turn suing Zurich for refusing to pay out. Filed late last year in Illinois state court, the complaint alleges that the policyholder suffered a nightmare cyber scenario: two separate intrusions of the “NotPetya” virus at different locations “rendered permanently dysfunctional approximately 1700 of the policyholder’s servers and 24,000 laptops.”
According to the complaint, the virus caused property damage, commercial supply disruptions, unfulfilled customer orders, reduced margins, and other covered losses aggregating well in excess of $100,000,000. Although this figure may seem relatively low, it is because it only includes damages that can be directly and unequivocally attributed to the attack. Mondelez vs Zurich comes as the nascent cyber insurance market continues to develop with increased demand for cyber policies.
According to the complaint, after initially denying coverage, the insurer withdrew its denial in an effort to dissuade the policyholder from filing suit and to engage the policyholder in discussions concerning the adjustment and payment of the claim. After it became apparent to the insurer that the policyholder planned to file suit, the complaint alleges that the insurer re-asserted its denial of coverage based on the exclusion, as well as other defenses to coverage.
I was recently in London and had some very interesting discussions with a few top-level cyber insurers. As can be imagined, the Mondelez suit is causing quite a stir in cyber insurance circles. Although the policy in Mondelez is a property policy, some say that the suit exposes how war exclusions in cyber insurance policies can threaten coverage for cyberattacks that can be traced back to the activities of state-sponsored actors. The outcome of the Mondelez suit remains to be seen and is under intense scrutiny by the cyber insurance community. But policyholders can take comfort in the fact that, in most jurisdictions, insurers have the burden to prove that an insurance policy exclusion bars coverage. That burden of proof is further complicated by the difficulties associated with attack attribution and the acquisition of evidence.
In any case, policyholders should review the war exclusion in their cyber insurance policies and consider asking their insurers to clarify its scope in light of the Mondelez case. In some cyber insurance policies, the war exclusion contains an exception or other wording that preserves coverage for cyberattacks. In others, the exclusion lacks any such limitation.
The Breakdown of Trust
All cyber security people know that the weakest link we have centers around the human being.
The best policies, procedures and processes can be circumvented by a workforce and users who either inadvertently or intentionally do not comply with the framework of controls set up to mitigate risk. Why does this occur? My thesis is that we are facing a breakdown, or at least a decline, in trust.
Back in the 1980s Alvin Toffler (a futurist with many great predictions) wrote in his book The Third Wave about the new “Information Age” and how wars would occur in the information space rather than as traditional kinetic wars.
Knowledge and information would form the basis for wealth and power, and conflicts over the control of both would be the mechanisms of warfare. He also said that in the “Information Age” people’s lives are, to some degree, modified to serve the technology. I believe he was right on the money again. We live in a world of Facebook, Twitter, Instagram, WhatsApp, Tumblr, and round-the-clock, round-the-world news coverage, and we are bombarded by information from all kinds of sources.
This is coupled with social conflict and strife and changes in world politics, where many factors cause mass migration of people and refugees across country boundaries. This shift in populations has given rise to a surge in nationalism, as evidenced by Brexit, Make America Great and several other new social and political movements. Terrorists around the world have learned to leverage these factors and structure attacks to further disrupt societies and gain power.
We have seen a tremendous rise in phishing, smishing and vishing attacks, where malicious entities try to take advantage of human trust through social engineering to steal assets. Just recently I saw an article (see https://www.techspot.com/news/79402-office-depot-pays-ftc-25-million-allegedly-using.html) where even Office Depot has used subterfuge and malware scams to generate business.
Who can one trust in this environment?
Who is looking out for individual privacy rights and economic and social justice?
Can we trust companies and governments to intervene on our behalf?
Trust in government institutions and governmental process has greatly diminished. Many companies seem to only be looking at the bottom line and investor returns.
All of the above causes human stress. Last night I watched a documentary by Dr. Sanjay Gupta (One Nation Under Stress – HBO) on stress. It addressed the causal factors of stress, how society and its support structures have diminished support for individuals, and how this has led to a rise in the overall stress faced by individuals.
The documentary also looked at the neurological changes in the brain brought on by stress. One important impact was on the frontal lobe, where brain connections were physically altered and impaired, leading to a diminished ability to be empathetic. Could this be related to the rise in mass shootings and other acts of violence in our recent past?
A correlation I have also seen, which is supported by the thesis and research in a couple of other books (see The Distracted Mind by Adam Gazzaley and Reclaiming Conversation by Sherry Turkle), is between the use of smart phones by our youth and a similar rise in cyber bullying and increased pressure to fit in, which is scored by the number of online friends you have and the hits your posts may generate.
This is not the first time I have looked at trust in relation to cyber issues, but it made me think that it may be time to go back and re-read Stephen M.R. Covey’s book The Speed of Trust and look at the steps he outlines for regaining trust.
The Corporate View of Cyber Risk
On other fronts, domestically in the United States additional cases have been reported where social engineering postings and robo postings by malicious actors are still in use in attempts to affect political candidates (both positively and negatively). The Mueller report has been released, but only to the Department of Justice and the U.S. Attorney General, and all the details it may have regarding cyber security attacks against the 2016 U.S. election have not been made available to the public. It is not certain if or when those details will be made public.
I also see the continued struggle between the increased costs of vulnerability prevention and mitigation as compared to the real costs of exploits. Attack disclosure, including the associated impacts and costs, is still very much considered dirty laundry, and no one wants to have their dirty laundry exposed. Voluntary disclosures are simply not working. There is still no country-wide federal cyber security policy and no publicly declared effort to create one.
I also still see the continued need to merge cybersecurity under the Enterprise Risk Management (ERM) umbrella, with many large corporations doing that but few government agencies, especially at the state level, following suit. This is also true of small to medium sized businesses. There are still 4 open jobs for every skilled/experienced cyber person, and the need is continuing to expand, but the growth in the workforce has not been able to keep pace. The good news is that there has been a rise in the female cyber workforce.
The bottom line: the situation is not bleak, but we will need to continue to remain vigilant and focused on our work.